SEC642: Advanced Web App Penetration Testing and Ethical Hacking

I would definitely recommend SEC642 to my colleagues. It's a very useful course for penetration testers.

Moguh Kuma M, Intuit

Great class! I would recommend SEC642 to anyone.

Chris Grimes, IBM

This course is designed to teach you the advanced skills and techniques required to test web applications today. This advanced pen testing course uses a combination of lecture, real-world experiences, and hands-on exercises to educate you in the techniques used to test the security of enterprise applications. The final day of the course culminates in a Capture the Flag event, which tests the knowledge you will have acquired the previous five days.

We will begin by exploring specific techniques and attacks to which applications are vulnerable. These techniques and attacks use advanced ideas and skills to exploit the system through various controls and protections. This learning will be accomplished through lectures and exercises using real-world applications.

We will then explore encryption as it relates to web applications. You will learn how encryption works as well as techniques to identify the type of encryption in use within the application. Additionally, you will learn methods for exploiting or abusing this encryption, again through lecture and labs.

The next day of class will focus on how to identify web application firewalls, filtering, and other protection techniques. You will then learn methods to bypass these controls in order to exploit the system. You'll also gain skills in exploiting the control itself to further the evaluation of the security within the application.

Following these general exploits, you will learn techniques that target specific enterprise applications. You will attack systems such as content management and ticketing systems. We will explore the risks and flaws found within these systems and how to better exploit them. This part of the course will also include web services and mobile applications due to their prevalence within modern organizations.

This information-packed advanced pen testing course will wrap up with a full-day Capture the Flag (CtF) event. This CtF will target an imaginary organization's web applications and will include both Internet and intranet applications built on various technologies. This event is designed to allow you to put together the pieces from the previous five days, reinforcing the information and learning you will have gained.

The SANS promise is that you will be able to use these ideas immediately upon returning to the office in order to better perform penetration tests of your web applications and related infrastructure. This course will enhance your exploitation and defense skill sets as well as fulfill a need to teach more advanced techniques than can be covered in the foundational course, Security 542: Web Application Penetration Testing and Ethical Hacking.

An understanding of advanced web penetration techniques

Skills to test and exploit specific target environments such as content management systems and infrastructure applications

Understanding of encryption and its usage within web applications

Methods to recognize and bypass application, platform, and WAF defenses

Course Syllabus

SEC642.1: Advanced Discovery and Exploitation

Overview

As applications and their vulnerabilities become more complex, penetration testers have to be able to handle these targets. We will begin the class by exploring how Burp Suite works and more advanced ways to use it within your penetration-testing processes. The exploration of Burp Suite will focus on its ability to work within the traditional web penetration testing methodology and assist in manually discovering the flaws within the target applications.

Following this discussion, we will move into studying specific vulnerability types. This examination will explore some of the more advanced techniques for finding server-based flaws such as SQL injection. After discovering the flaws, we will then work through various ways to exploit these flaws beyond the typical means exhibited today. These advanced techniques will help penetration testers show the risks the flaws expose an organization to.

SEC642.2: Discovery and Exploitation for Specific Applications

Overview

We will continue the exploration of advanced discovery and exploitation techniques. We'll start by exploring client-side flaws such as cross-site scripting (XSS) and cross-site request forgery (XSRF). We will explore some of the more advanced methods for discovering these issues. After finding the flaws, you will learn some of the more advanced methods of exploitation, such as scriptless attacks and building web-based worms using XSRF and XSS flaws within an application.

During the next part of the day we'll explore various popular applications and frameworks and how they change the discovery techniques within a web penetration test. This section of the class examines applications such as SharePoint and WordPress. These specific targets have unique needs and features that make testing them both more complex and more fruitful for the tester. This section of the class will help you understand these differences and make use of them in your testing.

CPE/CMU Credits: 6

Topics

Discovering XSRF flaws within complex applications

Learning about DOM-based XSS flaws and how to find them within applications

Exploiting XSS using scriptless injections

Bypassing anti-XSRF controls using XSS/XSRF worms

Attacking SharePoint installations

How to modify your test based on the target application

SEC642.3: Web Application Encryption

Overview

Cryptographic weaknesses are a common area where flaws are present, yet few penetration testers have the skill to investigate, attack, and exploit these flaws. When we investigate web application crypto attacks, we typically target the implementation and use of cryptography in modern web applications. Many popular web programming languages and development frameworks make encryption services available to the developer, but they do not inherently protect encrypted data from attack, and they permit the developer to use cryptography in a weak manner. These implementation mistakes are our focus in this section, as opposed to the exploitation of deficiencies in the cryptographic algorithms themselves. We will also explore the various ways applications use encryption and hashing insecurely. Students will learn techniques ranging from identifying which encryption scheme is in use to exploiting various flaws within the encryption or hashing.

CPE/CMU Credits: 6

Topics

Explore how to identify the cryptography used in the web application

Discover how to analyze and attack the encryption keys

Exploiting stream cipher IV collisions

Exploiting Electronic Codebook (ECB) Mode Ciphers with block shuffling

Exploiting Cipher Block Chaining (CBC) Mode with bit flipping

SEC642.4: Mobile Applications and Web Services

Overview

Web applications are no longer limited to the traditional HTML-based interface. Web services and mobile applications have become more common and are regularly used to attack clients and organizations. As such, it has become very important that penetration testers understand how to evaluate the security of these systems. After finishing up our discussion of cryptography attacks, you will learn how to build a test environment for testing the web services used by mobile applications. We will also explore various techniques to discover flaws within the applications and backend systems. These techniques will make use of tools such as Burp Suite and other automated toolsets.

CPE/CMU Credits: 6

Topics

Attacking CBC with chosen plaintext

Exploiting CBC with padding oracles

Understanding the mobile platforms and architectures

Intercepting traffic to web services and from mobile applications

Building a test environment

Penetration testing of web services

SEC642.5: Web Application Firewall and Filter Bypass

Overview

Today, applications are using more security controls to help prevent attacks. These controls, such as Web Application Firewalls and filtering techniques, make testing more difficult for penetration testers. They block many of the automated tools and simple techniques used to discover flaws today. On this day you will explore techniques used to map the control and how it is configured to block attacks. You'll be able to map out the rule sets and determine the specifics of how it detects attacks. This mapping will then be used to determine attacks that will bypass the control. You'll use HTML5, Unicode, and other encodings that will enable your discovery techniques to work within the protected application.

CPE/CMU Credits: 6

Topics

Understanding of web application firewalling and filtering techniques

Explore how to determine the rule sets protecting the application

Learn how HTML5 injections work

Discover the use of Unicode and other encodings

SEC642.6: Capture the Flag

Overview

During day six of the class you will be placed on a network and given the opportunity to complete an entire penetration test. The goal of this capture the flag event is for you to explore the techniques, tools, and methodology you will have learned over the last five days. You'll be able to use these ideas and methods against a realistic extranet and intranet. At the end of the day, you will provide a verbal report of the findings and methodology you followed to complete the test. Students will be provided with a virtual machine that contains the Samurai Web Testing Framework web penetration-testing environment. You will be able to use this both in the class and after leaving and returning to your jobs.

CPE/CMU Credits: 6

Additional Information

Laptop Required

Latest VMware Player, VMware Workstation, or VMware Fusion pre-installed before class begins. Other virtualization software such as Parallels or VirtualBox will probably work if the attendee is familiar with its functionality; however, VMware Player should be prepared as a backup just in case.

Ability to disable all security software on your laptop, such as antivirus and/or firewalls

At least twenty (20) GB of hard drive space

At least four (4) GB of RAM

An Ethernet port or Ethernet adapter to plug into a private, in-class network.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Who Should Attend

Web penetration testers

Security consultants

Developers

QA testers

System administrators

IT managers

System architects

Prerequisites

This course assumes that you have a solid understanding of web penetration techniques and methodologies. You should be familiar with the HTTP protocol, HTML, web applications, and a scripting language such as Python. Successful completion of the GWAPT certification or having attended the SEC542 class would fulfill these prerequisites.

What You Will Receive

A copy of the Samurai Web Testing Framework (SamuraiWTF), which includes some of the latest and greatest open-source penetration testing tools for web application testing

Six course booklets including course slides, student notes, and multiple hands-on exercises for each day

You Will Be Able To

Assess and attack complex modern applications

Understand the special testing and exploits available against content management systems such as SharePoint and WordPress

Use techniques to identify and attack encryption within applications

Identify and bypass web application firewalls and application filtering techniques to exploit the system

Use exploitation techniques learned in class to perform advanced attacks against web application flaws such as XSS, SQL injection and CSRF

Press & Reviews

"This course is outstanding! I would highly recommend it to pen-testers that have already a good grasp on 542 content." - Mark Geeslin, Citrix

What To Take Next?

Courses that Lead-in

SEC542: Web App Penetration Testing and Ethical Hacking

DEV522: Defending Web Applications Security Essentials

SEC560: Network Penetration Testing and Ethical Hacking

Courses that are Pre-reqs

SEC542: Web App Penetration Testing and Ethical Hacking

Courses that are good follow-ups

SEC573: Python for Penetration Testers

SEC575: Mobile Device Security and Ethical Hacking

SEC660: Advanced Penetration Testing, Exploits, and Ethical Hacking

Author Statement

As web applications and their mobile counterparts become more complex and hardened against attack, penetration testers need to adjust the techniques they use to evaluate the security of these systems. This includes understanding how the various targets work, their usage of encryption and web application firewalling, and how to perform vulnerability discovery and exploitation against these items. This course is designed to expand past the methodology and focus on the "how" when we are presented with the challenges of web penetration testing.